Buzzz: Researcher Creates Honeypots To Lure In ICS Attackers

High-profile malware attacks -- like Stuxnet, Duqu, and Flame -- have made the security of Industrial Control Systems (ICS), and specifically Supervisory Control and Data Acquisition (SCADA) systems, a major topic.

These attacks piqued the interest of Kyle Wilhoit, a Threat Researcher at Trend Micro, who wanted to find out what was really being targeted during these ICS/SCADA attacks and what the attackers were after. To answer those questions, he developed a honeypot architecture that emulated several types of ICS/SCADA devices, mimicking the kinds that are commonly Internet facing. The honeypots were seeded with the vulnerabilities typically found in such systems, making the environment realistic to an attacker.

He released his findings in a report (PDF) titled "Who's Really Attacking Your ICS Equipment?"

Wilhoit discovered that not only are these systems incredibly vulnerable, but -- like bees to honey -- the attacks happened with shocking speed and repeated ferocity.

Security Bistro spoke to Wilhoit, who said the results surprised even him.

"I not only didn't expect the results of the honeypot environment, I didn't expect the attacks to occur so quickly," he said. "My expectations going in revolved around traditional automated attacks that often present themselves in Internet facing devices, not necessarily attacks that appeared to be against ICS/SCADA devices."

Wilhoit, who made it somewhat easy on potential attackers by naming the honeypots "SCADA-1," "SCADA-2," and so on, wrote in his findings that it took only 18 hours to see the first signs of an attack against one of his decoys.

In the 28 days Wilhoit left these honeypots active, there were 39 attacks from 14 different countries. Of these 39 attacks, 12 were unique and could be classified as "targeted," while 13 were repeated by several of the same actors over a period of several days and could be considered "targeted" and/or "automated." All of these attacks were preceded by port scans performed by the same IP address or by an IP address in the same netblock, he wrote.
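The report's observation that every attack was preceded by a port scan from the same address or netblock suggests a simple correlation rule for defenders: an ICS-protocol write that arrives from a netblock that recently scanned you deserves a high-priority alert. The following is an added example, not code from the report or from Trend Micro; the log format, event names, and addresses are constructed assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed honeypot log lines (assumed format): timestamp, source IP, event, detail.
# Scenario: a scanner probes from 198.51.100.23, then a different host in the same /24
# writes a Modbus register; an unrelated host only reads, with no prior scan.
LOG_LINES = [
    "2013-03-01T10:00:00 198.51.100.23 portscan ports=22,80,102,502,44818",
    "2013-03-01T10:00:05 198.51.100.23 portscan ports=1,2,3,4,5,6,7,8,9,10",
    "2013-03-02T03:12:40 198.51.100.77 modbus_write unit=1 reg=40001 value=0",
    "2013-03-02T08:00:00 203.0.113.9 modbus_read unit=1 reg=40001",
    "2013-03-03T11:45:10 198.51.100.23 http_post path=/login",
]

ICS_EVENTS = {"modbus_write", "modbus_read"}  # assumed event names for ICS-protocol access


def parse(line):
    """Split one log line into (datetime, IP address object, event, detail)."""
    ts, ip, event, detail = line.split(" ", 3)
    return datetime.fromisoformat(ts), ipaddress.ip_address(ip), event, detail


def correlate(lines, prefix=24):
    """Flag ICS-protocol events whose source IP, or its /prefix netblock, port-scanned us earlier.

    Returns a list of (source_ip, event, verdict, first_scan_time) tuples in time order.
    """
    scanned = {}   # netblock -> time of its first observed port scan
    findings = []
    for ts, ip, event, detail in sorted(map(parse, lines)):  # process in time order
        block = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        if event == "portscan":
            scanned.setdefault(block, ts)
        elif event in ICS_EVENTS:
            if block in scanned:
                findings.append((str(ip), event, "scan-preceded", str(scanned[block])))
            else:
                findings.append((str(ip), event, "no-prior-scan", None))
    return findings


if __name__ == "__main__":
    for finding in correlate(LOG_LINES):
        print(finding)
```

Matching on the netblock rather than the exact address is what catches the second host; narrowing `prefix` to 32 would miss it.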

We asked Wilhoit if deploying a device that prevented port scans would have made a difference in protecting these control systems.

"Unfortunately, a device (such as a firewall) that can help stop some port scanning may have slowed some attackers down, but motivated attackers would have found and compromised the device regardless," he said.

Wilhoit said that what these attackers tried to do to the "fake" systems would have been devastating to a genuine ICS/SCADA installation.

"These attackers not only attempted to modify the pumps themselves, they also attempted to exfiltrate 'sensitive' data off the servers once compromised," he said. "Many of the attacks that were performed would have been catastrophic to the operation/maintenance of the pump."

In addition to the repeat offenders, Wilhoit also discovered a surprising number of malware exploitation attempts on the servers.

"I didn't expect these attacks to include a targeted phishing email," he said.

As for preventive measures, Wilhoit told Security Bistro that many things could be done to mitigate this type of attack.

"Removing access from the Internet would be a start. This would reduce the footprint of these devices and make it more difficult for attackers to locate. In addition, keeping all patches up to date and utilizing two-factor authentication on all 'critical' systems is important," said Wilhoit.